On Tue, Oct 28, 2003 at 13:23:43 +0100, Adam Hardy wrote:
> On 10/28/2003 12:06 PM Tim Funk wrote:
> >I think they can and you'll break AOL users. AOL and other large 
> >entities sometimes employ megaproxies where the user might appear to be 
> >coming from different ip addresses.
> >
> >The guaranteed way to prevent session hijacking is by using ssl. (And 
> >making sure your site is not victim to css attacks)
> 
> BTW, what are css attacks?

Cross-site scripting attack. If an attacker can put text into your
application which is echoed back verbatim within the HTML source for
different users, the attacker can insert JavaScript code to "steal" the
cookies and other malicious things, which will be executed by the victim
when the page is rendered in his/her browser. To avoid such attacks, you
should for example make sure you HTML-encode data you send (i.e. change
< and > to &lt; and &gt; etc.).
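The "etc" in the encoding advice above matters once data is echoed into an attribute value. The following is an added example, not part of the original message: it renders constructed input with no encoding, with < and > only, and with full encoding, then parses the result to see whether any new markup was created. All function names and sample strings, including send, are hypothetical.

```python
# Added example: constructed inputs and hypothetical names throughout.
import html
from html.parser import HTMLParser

def identity(text):
    """No encoding at all: the vulnerable 'echoed back verbatim' case."""
    return text

def encode_lt_gt_only(text):
    """Incomplete encoder: handles only < and >."""
    return text.replace("<", "&lt;").replace(">", "&gt;")

def encode_html(text):
    """Encode & < > and both quote characters."""
    return html.escape(text, quote=True)

def render_comment(author, body, encoder):
    """Echo user data into a quoted attribute and into element text."""
    return '<div class="comment" title="{0}"><p>{1}</p></div>'.format(
        encoder(author), encoder(body))

class _Audit(HTMLParser):
    """Records script elements and on* attributes found in a fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler attribute " + name)

def injected_markup(fragment):
    """Return the active markup a browser-like parser sees in the fragment."""
    audit = _Audit()
    audit.feed(fragment)
    audit.close()
    return audit.findings

# Constructed sample inputs (not taken from any real incident)
SCRIPT_BODY = "<script>send(document.cookie)</script>"
ATTR_AUTHOR = 'bob" onmouseover="send(document.cookie)'

if __name__ == "__main__":
    for enc in (identity, encode_lt_gt_only, encode_html):
        page = render_comment(ATTR_AUTHOR, SCRIPT_BODY, enc)
        print(enc.__name__, "->", injected_markup(page) or "no injected markup")
```

Only the full encoder leaves both the attribute and the element text inert, because the quote character is what ends the attribute value.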



